4:39 p.m.
I am just now venturing for the first time into using SSL with
OpenLDAP. The principal problem (or at least the first symptom of the
problem) is that the server is listening only on port 389 and not 636
(according to netstat)
OpenLDAP was built with the '--with-tls' configuration parameter. While
I intend get a regular certificate, for testing purposes I created my
own certificate using CA.pl. I copied the output files to where I want
to keep them and added the additional configuration info to slapd.conf:
TLSCertificateFile /usr/local/etc/openldap/Certs/newcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/Certs/newkey.pem
When I start OpenLDAP, I'm prompted to enter the PEM pass phrase.
A ps command confirms that the start-up script did the right thing:
/usr/local/libexec/slapd -u ldap -h ldap:/// ldaps:///
But ssl connections fail and a netstat command only shows the server
listening on port 389.
Is there something I'm missing at this point merely to get the server
listening on port 636?
Thanks.
--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
10:53 p.m.
Try something like this:
/usr/local/libexec/slapd -u ldap -h "ldap:// ldaps://"
Geert
-----Original Message-----
From: openldap-software-bounces+geert.van.muylem=skynet.be(a)OpenLDAP.org
[mailto:openldap-software-bounces+geert.van.muylem=skynet.be@OpenLDAP.org]
On Behalf Of Rob Tanner
Sent: dinsdag 31 oktober 2006 1:39
To: openldap-software(a)openldap.org
Subject: OpenLDAP configured for TLS not listenting on port 636
I am just now venturing for the first time into using SSL with
OpenLDAP. The principal problem (or at least the first symptom of the
problem) is that the server is listening only on port 389 and not 636
(according to netstat)
OpenLDAP was built with the '--with-tls' configuration parameter. While
I intend get a regular certificate, for testing purposes I created my
own certificate using CA.pl. I copied the output files to where I want
to keep them and added the additional configuration info to slapd.conf:
TLSCertificateFile /usr/local/etc/openldap/Certs/newcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/Certs/newkey.pem
When I start OpenLDAP, I'm prompted to enter the PEM pass phrase.
A ps command confirms that the start-up script did the right thing:
/usr/local/libexec/slapd -u ldap -h ldap:/// ldaps:///
But ssl connections fail and a netstat command only shows the server
listening on port 389.
Is there something I'm missing at this point merely to get the server
listening on port 636?
Thanks.
--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
12:04 a.m.
Geert,
When I start the server by hand using you suggested startup, the server
does indeed listen on port 636. But when I modify the default startup
script (included in the Fedora distro) and restart it, it was no longer
listening on port 636. That made me look at the startup in more
detail. The script starts the daemon be calling the daemon function in
the functions script with the full command line as a parameter. If I
start the server directly and not through the daemon function, it works
properly (i.e., listens on port 636 and responds to ldaps:// queries)
whether the startup is -h "ldap:// ldaps://" or -h "ldap:///
ldaps:///". I don't understand it, but it works correctly every time
now. I think I need to look at that daemon function to see what's going
on. Perhaps it's entirely superfluous.
Anyway, thank you much. Your help got me started on finding the
problem. Now I can go and get a real certificate from the CA and move
the server into production.
-- Rob
On 10/30/2006 10:53 PM, Geert Van Muylem wrote:
Try something like this:
/usr/local/libexec/slapd -u ldap -h "ldap:// ldaps://"
Geert
-----Original Message-----
From: openldap-software-bounces+geert.van.muylem=skynet.be(a)OpenLDAP.org
[mailto:openldap-software-bounces+geert.van.muylem=skynet.be@OpenLDAP.org]
On Behalf Of Rob Tanner
Sent: dinsdag 31 oktober 2006 1:39
To: openldap-software(a)openldap.org
Subject: OpenLDAP configured for TLS not listenting on port 636
I am just now venturing for the first time into using SSL with
OpenLDAP. The principal problem (or at least the first symptom of the
problem) is that the server is listening only on port 389 and not 636
(according to netstat)
OpenLDAP was built with the '--with-tls' configuration parameter. While
I intend get a regular certificate, for testing purposes I created my
own certificate using CA.pl. I copied the output files to where I want
to keep them and added the additional configuration info to slapd.conf:
TLSCertificateFile /usr/local/etc/openldap/Certs/newcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/Certs/newkey.pem
When I start OpenLDAP, I'm prompted to enter the PEM pass phrase.
A ps command confirms that the start-up script did the right thing:
/usr/local/libexec/slapd -u ldap -h ldap:/// ldaps:///
But ssl connections fail and a netstat command only shows the server
listening on port 389.
Is there something I'm missing at this point merely to get the server
listening on port 636?
Thanks.
1:23 a.m.
I always use the following command:
# slapd -h "ldap://:389 ldaps://:636"
Regards,
Phillip
On Tue, 2006-10-31 at 07:53 +0100, Geert Van Muylem wrote:
Try something like this:
/usr/local/libexec/slapd -u ldap -h "ldap:// ldaps://"
Geert
-----Original Message-----
From: openldap-software-bounces+geert.van.muylem=skynet.be(a)OpenLDAP.org
[mailto:openldap-software-bounces+geert.van.muylem=skynet.be@OpenLDAP.org]
On Behalf Of Rob Tanner
Sent: dinsdag 31 oktober 2006 1:39
To: openldap-software(a)openldap.org
Subject: OpenLDAP configured for TLS not listenting on port 636
I am just now venturing for the first time into using SSL with
OpenLDAP. The principal problem (or at least the first symptom of the
problem) is that the server is listening only on port 389 and not 636
(according to netstat)
OpenLDAP was built with the '--with-tls' configuration parameter. While
I intend get a regular certificate, for testing purposes I created my
own certificate using CA.pl. I copied the output files to where I want
to keep them and added the additional configuration info to slapd.conf:
TLSCertificateFile /usr/local/etc/openldap/Certs/newcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/Certs/newkey.pem
When I start OpenLDAP, I'm prompted to enter the PEM pass phrase.
A ps command confirms that the start-up script did the right thing:
/usr/local/libexec/slapd -u ldap -h ldap:/// ldaps:///
But ssl connections fail and a netstat command only shows the server
listening on port 389.
Is there something I'm missing at this point merely to get the server
listening on port 636?
Thanks.
11:47 p.m.
Rob Tanner <rtanner(a)linfield.edu> writes:
A ps command confirms that the start-up script did the right thing:
/usr/local/libexec/slapd -u ldap -h ldap:/// ldaps:///
But ssl connections fail and a netstat command only shows the server
listening on port 389.
Is there something I'm missing at this point merely to get the server
listening on port 636?
The examples in man slapd(8) show the URLlist quoted
-h "ldap:/// ldaps:///"
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
N 53°37'10.08"
E 10°08'02.82"
GPG Key ID:8EF7B6C6
12:16 a.m.
Dieter,
The quotes are for the shell so that "ldap:/// ldaps:///" are not broken
into two hunks by shell. They won't show up in a "ps" command because
they're not passed (and aren't supposed to be passed) to slapd. Thanks
to some help from Geert Van Muylen, I found the source of the problem in
the startup script and fixed it. It will take me a while to actually
understand the failure mechanism, but since I could pinpoint it, I was
able to successfully work around it.
-- Rob
On 10/30/2006 11:47 PM, Dieter Kluenter wrote:
Rob Tanner <rtanner(a)linfield.edu> writes:
> A ps command confirms that the start-up script did the right thing:
>
> /usr/local/libexec/slapd -u ldap -h ldap:/// ldaps:///
>
> But ssl connections fail and a netstat command only shows the server
> listening on port 389.
>
> Is there something I'm missing at this point merely to get the server
> listening on port 636?
>
The examples in man slapd(8) show the URLlist quoted
-h "ldap:/// ldaps:///"
-Dieter
12:35 a.m.
--On Tuesday, October 31, 2006 8:47 AM +0100 Dieter Kluenter
<dieter(a)dkluenter.de> wrote:
Rob Tanner <rtanner(a)linfield.edu> writes:
>
> A ps command confirms that the start-up script did the right thing:
>
> /usr/local/libexec/slapd -u ldap -h ldap:/// ldaps:///
>
> But ssl connections fail and a netstat command only shows the server
> listening on port 389.
>
> Is there something I'm missing at this point merely to get the server
> listening on port 636?
The examples in man slapd(8) show the URLlist quoted
-h "ldap:/// ldaps:///"
And you may want to understand the difference between TLS over port 389 and
SSL over port 636.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
6177
days inactive
6177
days old
openldap-software@openldap.org
6 comments
5 participants
participants (5)
-
Dieter Kluenter -
Geert Van Muylem -
Phillip -
Quanah Gibson-Mount -
Rob Tanner